TDSS

I won't go into the steps that preceded catching the worst virus I've ever had, but suffice it to say, I did not expect the awful consequences that followed.
As a computer professional (that is to say, I get paid for sorting out computer problems), I feel relatively comfortable about getting rid of things like viruses and Trojans and the like. Several times a week I am asked to sort out a computer that is running slowly or some specific problem like an inability to use the Internet or receive mail.
Mostly I use experience and a handful of clever programs to put things right.

Experience is the key, as there are a myriad of things about which one needs to know in order to get things working as they were previously. Mostly, it's nothing to do with a virus or a Trojan; it's just that the computer has too much to do or a new, badly written program has been installed. I imagine that somewhere in the world an unrealistic timescale was placed on a task, and a clumsy, half-debugged piece of code was released to the general public, say by a printer manufacturer.

One day in the middle of February 2009, I installed some software to resolve an issue with one of my favourite application programs. I should have smelled a rat when I got a message about the code not being recognised as a 32-bit application. I checked some notes that accompanied the program and found the answer: I would need to rename the setup file. This I duly did and was rewarded, if that is the correct expression, by lots of unpacking of files and an air of general progress. Admittedly, a message popped up warning me about suspicious activity and asking did I "want to continue". Assuming that all was well I gave my permission and things continued apace; however, instead of the procedure completing in the normal way with various comforting messages, mentioning success and asking did I want to "read some information" or just "use the program", things just stopped in midstream, as it were. I waited... but to no avail, and it suddenly dawned on me that I had made a bad decision to allow the suspicious activity to proceed.

I can't recall exactly the sequence of events that followed, but lots of things did happen. Thankfully not the sort of things that used to happen in days of old. In the days of "386" computers, viruses were incredibly nasty, resulting in failure to boot or unexpected reformatting of one's hard drive. Virus writers have got more inventive as years have passed. I remember tackling a computer a few years ago that had been losing EXE files. Eventually ALL its EXE files had been deleted and a virus scan had revealed something like 34,000 virus-infected files. Nowadays all manner of really horrible things are done by viruses, but not often as catastrophic as losing all your data.

What did I notice? I lost the Folder Options tool so I couldn't see hidden files. System Restore wouldn't start and the Registry Editor wasn't accessible. AVG wouldn't open. SpyBot Search and Destroy wouldn't open. Control-Alt-Delete wouldn't start Task Manager. Special investigative tools refused to open, and worst of all, Internet access was compromised. I say worst of all because the Internet is the quickest way to gain help... type in the name of a suspicious-sounding file and instantly there is advice on dealing with it.

Unfortunately, these days it isn't as easy as it used to be. There are too many people offering stupid, ill-informed advice and one has to filter results in order to find advice from people that know what they're talking about. I typed a few words into Google. Up came a results page offering several interesting snippets. I chose one that looked promising and, after an unexpected delay, got the wrong page. It was simply rubbish. I tried several times and soon noticed that the hyperlink was being modified by the addition of one of a selection of phrases, including "WindowsClick" and other examples. The resultant web page was either nonsense or, more generally, not available.
I tried different search providers and eventually found one that worked without the annoying redirect. It was an Irish search provider with a strangely spelled name, and it worked, but not wonderfully. Still lots of development needed, but at least I could now browse around potential solutions to my problems.

Strange things were going on with websites like Ancestry or even the Beeb. Layout was peculiar, pictures were sometimes missing, links did not always work and hanging was frequent.

Using one or two Windows commands, including "gpedit.msc" and "services.msc", I managed to unlock several features. I got back Folder Options, for example, and I also got back my Fast User Switching. My wife and daughter had complained that they couldn't access their desktops, and I'd found that in order to do this the computer had to be rebooted and a specific user selected. Anyway, I got Fast User Switching back after discovering a line in the Registry that was hijacking the feature.

The cure involved the download of a special tool which edited the Registry. By then I'd got Regedit working but deleting the hijack code wasn't permanent. Each time I reopened Regedit I found the code had returned.

I was a little concerned now that AVG had been neutralised. Certainly Ad-Aware was running, but apparently oblivious to problems, and AVG was probably also toothless and probably inoperative. I remembered that the CD for my new motherboard carried a 3-month trial of Norton Internet Security, so I dug it out and tried it. Much to my surprise I was able to install it, update it and run it. Quite a few viruses were identified and deleted but, as is common with many anti-virus programs, sorting out the consequences of a bad virus is left to the user, and downloading fix tools from Symantec proved fruitless and a waste of time, probably because they had mis-identified the virus.

By now, a couple of days had passed and things were gradually clarifying, but I still didn't know the name of the virus. Most of the missing facilities and tools had been sorted out except System Restore and there was still a selective filtering out of useful programs.

I even managed to get rid of the redirects in Internet Explorer. This was an interesting exercise in itself.

I reasoned that perhaps Firefox would be immune from the webpage redirects. After all, lots of advice I'd seen advised ditching Internet Explorer and adopting Firefox. This was the ONLY solution in the minds of many learned experts. I had the devil of a job finding Firefox and downloading it, but eventually I had it installed and working. Now I could do some more research and resolve all my problems, I thought... but no, Firefox was compromised too. I still couldn't search the Internet except with that Irish search engine that gave wishy-washy results. I'm sure it'll get better as time progresses, but just now it's only a poor relation.

Maybe if I reload Internet Explorer 7, I thought... but the dratted virus had blocked the Microsoft website. Downloads were tantalisingly near but I couldn't get to them. I can't recall exactly how I managed in the end. I think I'd resorted to using my laptop computer and downloading the software, then using a memory stick, but eventually I was installing a beta version of Internet Explorer 8.

Not everything went that smoothly. I had to use a little trick to get round the virus. It seems the thing was stopping anything useful from being installed or running, but if one renamed a program from an EXE file to a COM file, it would run quite happily.
Anyway, Internet Explorer 8 was installing quite nicely when it came to a group of questions... Did I want to install everything from version 7? I certainly didn't want the redirect add-ons, so I elected NO. During the ensuing dialogue, this was the first time I'd seen the Internet redirect programs mentioned by name. I duly elected NOT to include these and was rewarded by proper Internet access for the first time in several days.

Internet Explorer 8 at first sight appears to be very similar to version 7, but it crashes fairly frequently. At least it works properly when it's working, so I'll leave it for the time being.

With the redirects terminated I could use a decent search provider, and I could now look around for further solutions and maybe get rid of the virus completely.

Setting aside my failing System Restore, I reasoned that because SpyBot had been disabled, maybe the solution was to sort this out first? I emailed the proprietors of SpyBot and waited. During the next few days the computer worked tolerably well. Not perfectly though, as it was temperamental in booting up, often stopping half way until I'd turned off the power and done a cold start. One day I looked in the BT-Yahoo Spam box and found residing there an answer to my request for help. BT-Yahoo has an over-zealous spam detector. "Try our new Rootkit tool," the email from Team Spybot advised.

This was a turning point. A whole new area of expertise was uncovered. I found out about Invisible files... not Hidden or Super-Hidden, but files not recognised by Windows. Running the new Rootkit tool exposed a set of a dozen such files starting with the letters "UAC". With this information I was then able to finally identify the virus as TDSS or BHO Windowsclick.

Identification of the rogue files was one thing; deleting them was another. Try as I might, I couldn't delete the dratted things. I couldn't even see them. Various advice was proffered on the Net, including using Delete from the command line (didn't work), using the Windows CD (with a RAID system like mine that is fraught with danger), reformatting one's hard drive (defeatism) and using a special tool called "MalwareBytes" (a great idea).

I found a MalwareBytes download and, as had been suggested in the rest of the discussions in the forum where it had been mentioned, it wouldn't run. Clearly the virus was intercepting the run instruction and preventing further information from showing up on the screen. I remembered the simple trick of renaming the executable file as a COM rather than an EXE, and tried again.

Success. MalwareBytes ran and identified a whole pile of malware including the same files identified by the Rootkit tool from the SpyBot people. Was this going to be one of those programs that purported to be free but wanted payment before taking action beyond printing its warnings?

I selected all the identified files and told it to delete them. To my surprise, deletions followed except, that is, for all the "UAC" files, which were the main culprits; however, it did say that these would be deleted when the computer was rebooted.

I rebooted, but just before I was able to log on there was an error beep. Of course, I'd forgotten that I'd renamed the executable file... I opened the program folder and copied the COM file to the desktop, renamed it as an EXE and moved it back to the program folder. I left the COM file in case I had to repeat the procedure, but no... a second reboot was successful, and when I ran the Rootkit tool I was rewarded with a clean sheet.

SpyBot then opened and updated properly, and it found lots of low-level spyware that had crept in during the last week.

I'm now armed with a few more skills to enable me to cope with bigger problems than I'm used to, including several new tools to identify and eliminate viruses.

To name a few... RootAlyzer, RkU3.8.341.552, RootkitRevealer, Filealyz, Termsvcfix, MalwareBytes, and Combofix.
